Bug 852691

Summary: openssl 0.9.8 has not picked up locking fixes from upstream
Product: Red Hat Enterprise Linux 5
Reporter: Zdeněk Salvet <salvet>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 5.7
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-10-31 10:29:08 UTC
Type: Bug

Description Zdeněk Salvet 2012-08-29 10:29:38 UTC
Description of problem:
openssl 0.9.8 in RHEL5 and 6 has not picked up locking fixes from upstream
distribution; corruption of internal data can occur in multithreaded
applications

How reproducible:
quite difficult
  
Actual results:

Example of valgrind report catching race between X509_STORE_add_crl()
and X509_OBJECT_retrieve_by_subject():
==15574== Thread 4:
==15574== Invalid read of size 8
==15574==    at 0x312DEA7123: ??? (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DE5C9A3: OBJ_bsearch_ex (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DE7E370: ??? (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA70BB: X509_OBJECT_idx_by_subject (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA70F8: X509_OBJECT_retrieve_by_subject (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA7339: X509_STORE_get_by_subject (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x31E4A048B0: globus_i_gsi_callback_check_revoked (in /usr/lib64/libglobus_gsi_callback.so.0.4.1)
==15574==    by 0x31E4A0562E: globus_i_gsi_callback_cred_verify (in /usr/lib64/libglobus_gsi_callback.so.0.4.1)
==15574==    by 0x31E4A05A31: globus_gsi_callback_handshake_callback (in /usr/lib64/libglobus_gsi_callback.so.0.4.1)
==15574==    by 0x312DEA3E2E: ??? (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA476A: X509_verify_cert (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x31E4A057BA: globus_gsi_callback_X509_verify_cert (in /usr/lib64/libglobus_gsi_callback.so.0.4.1)
==15574==  Address 0x4dae9b8 is 8 bytes inside a block of size 32 free'd
==15574==    at 0x4A0620D: realloc (vg_replace_malloc.c:476)
==15574==    by 0x312DEDB0EF: CRYPTO_realloc (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DE7E43C: sk_insert (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA77A4: X509_STORE_add_crl (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA8CED: X509_load_crl_file (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA939B: ??? (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA73AE: X509_STORE_get_by_subject (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x31E4A048B0: globus_i_gsi_callback_check_revoked (in /usr/lib64/libglobus_gsi_callback.so.0.4.1)
==15574==    by 0x31E4A0562E: globus_i_gsi_callback_cred_verify (in /usr/lib64/libglobus_gsi_callback.so.0.4.1)
==15574==    by 0x31E4A05A31: globus_gsi_callback_handshake_callback (in /usr/lib64/libglobus_gsi_callback.so.0.4.1)
==15574==    by 0x312DEA3E2E: ??? (in /lib64/libcrypto.so.0.9.8e)
==15574==    by 0x312DEA476A: X509_verify_cert (in /lib64/libcrypto.so.0.9.8e)
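
The report above shows sk_insert() reallocating the store's array while OBJ_bsearch_ex() is still reading the old block. The following is an added, simplified C model of that pattern with one lock serializing both paths; it is not OpenSSL code and not the upstream fix, and `struct store`, `store_add`, `store_find` and `run_demo` are hypothetical names with a constructed workload.

```c
#include <pthread.h>
#include <stdlib.h>
/* Hypothetical stand-in for the store's object list: a sorted array that
 * grows with realloc(), as sk_insert() does in the trace. */
struct store { pthread_mutex_t lock; int *items; size_t len, cap; };
static struct store g = { PTHREAD_MUTEX_INITIALIZER, NULL, 0, 0 };
enum { N = 50000 };  /* constructed workload size */

static int cmp_int(const void *a, const void *b) {
    return (*(const int *)a > *(const int *)b) - (*(const int *)a < *(const int *)b);
}

/* Writer: realloc() may move `items`, so the whole insert holds the lock. */
int store_add(struct store *s, int v) {
    pthread_mutex_lock(&s->lock);
    if (s->len == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 4;
        int *p = realloc(s->items, ncap * sizeof *p);
        if (!p) { pthread_mutex_unlock(&s->lock); return -1; }
        s->items = p; s->cap = ncap;
    }
    size_t i = s->len++;
    for (; i > 0 && s->items[i - 1] > v; i--) s->items[i] = s->items[i - 1];
    s->items[i] = v;
    pthread_mutex_unlock(&s->lock);
    return 0;
}

/* Reader: the search and the test of its result happen under the same lock,
 * so no pointer into `items` is used after a concurrent realloc(). */
int store_find(struct store *s, int v) {
    pthread_mutex_lock(&s->lock);
    int found = s->len && bsearch(&v, s->items, s->len, sizeof *s->items, cmp_int) != NULL;
    pthread_mutex_unlock(&s->lock);
    return found;
}

static void *writer(void *arg) { (void)arg; for (int i = 0; i < N; i++) store_add(&g, i); return NULL; }
static void *reader(void *arg) { (void)arg; for (int i = 0; i < N; i++) store_find(&g, i); return NULL; }

/* One writer races one reader; returns the final element count. */
size_t run_demo(void) {
    pthread_t w, r;
    if (pthread_create(&w, NULL, writer, NULL)) return 0;
    if (pthread_create(&r, NULL, reader, NULL)) { pthread_join(w, NULL); return 0; }
    pthread_join(w, NULL); pthread_join(r, NULL);
    return g.len;
}
int main(void) { return run_demo() == (size_t)N ? 0 : 1; }
```

Build with `cc -pthread`. Removing the lock from `store_find` reintroduces the read of a block freed by realloc that valgrind flags above.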

Comment 1 Tomas Mraz 2012-08-29 11:17:46 UTC
Thanks for the report; however, to properly prioritize your request you need to use the regular Red Hat support channels. Please see http://www.redhat.com/support

Comment 2 Zdeněk Salvet 2012-08-29 11:45:28 UTC
I have noticed the problem on systems not covered by a Red Hat support subscription
(in Scientific Linux originally). I just wanted to let you know about this issue
because its effects are likely to be very difficult to debug.

Comment 3 Tomas Mraz 2013-10-31 10:29:08 UTC
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business
justification. Issue is already fixed in RHEL-6/7.